What can cause the socket() "Permission denied" error?

On Android 4, the following simple line of C code fails with a "Permission denied" error unless run as root:

    online_socket = socket(AF_INET, SOCK_DGRAM, 0);

I have root access to the device, but I want to start this process as an unprivileged user.

Note that the error occurs even before the socket is bound.

I think there are some security settings that need to be configured? Can anyone tell me where to look?

In this case the OS is actually Android, but I think the problem is really Linux-related (since Android is based on the Linux kernel).

For those wondering: this is a special program that runs in a full (debootstrapped) installation of Debian Jessie running on Android 4.

Update

I found out that the Android kernel has a special extension, CONFIG_ANDROID_PARANOID_NETWORK, which allows network access only to users in the groups AID_INET and AID_NET_RAW.

However, even after adding the user to these groups, socket() is still rejected (and ping seems to have the same problem, BTW).

    uid=5(imp) gid=51(imp) groups=51(imp),3003(aid_inet),3004(aid_net_raw),3005(aid_admin),3001(aid_bt),3002(aid_bt_net)

I can't say whether this CONFIG_ANDROID_PARANOID_NETWORK flag is actually enabled in this particular kernel, since I do not have access to the configuration file.

Update 2

I found out that both root and my unprivileged user imp can actually call socket() successfully, at least with the group setup described above.

However, starting the same process as root and then switching to imp using the seteuid() system call does not allow socket() to succeed. Any ideas?

android sockets permissions
2 answers

As it turns out, Android uses a special kernel patch, which is activated via CONFIG_ANDROID_PARANOID_NETWORK. This patch allows network access only to system users who belong to certain special groups with hard-coded IDs.

    groupadd -g 3001 aid_bt
    groupadd -g 3002 aid_bt_net
    groupadd -g 3003 aid_inet
    groupadd -g 3004 aid_net_raw
    groupadd -g 3005 aid_admin

This is because Android normally only adds users (i.e. applications) to these groups when the particular application has network permissions.

Adding a user to these groups gives them the right to use socket(), as described in the question:

    usermod -a -G aid_bt,aid_bt_net,aid_inet,aid_net_raw,aid_admin someuser

However, when a process uses seteuid() to switch from root to an unprivileged user (e.g. someuser), it is not enough (or perhaps irrelevant) that this effective user has aid_* membership. Instead, root itself must explicitly be a member of these groups:

    usermod -a -G aid_bt,aid_bt_net,aid_inet,aid_net_raw,aid_admin root

This solved the problem for me.

Note that I also tried playing with setegid() and similar calls as an alternative, but none of this helped...

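An added example, not code from either answer on this page: a user-space model of the credential check that CONFIG_ANDROID_PARANOID_NETWORK adds to inet_create(), run against the three situations described above, plus a privilege-drop routine that satisfies the check without making root a member of aid_*. The check itself, in_egroup_p(AID_INET) || capable(CAP_NET_RAW), is my paraphrase of the Android kernel patch and is an assumption here; AID_INET = 3003 and the group list of the imp user are taken from the page. The names scenario_*, cred_model and drop_privs_and_socket() are mine.

```c
/* Added example (not from the original answers). Models the paranoid-network
 * check in inet_create() and shows a privilege drop that passes it.
 * Assumption: the kernel check is in_egroup_p(AID_INET) || capable(CAP_NET_RAW). */
#define _DEFAULT_SOURCE          /* initgroups() prototype in glibc's <grp.h> */
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#define AID_INET 3003u           /* hard-coded gid from the groupadd line above */

/* The credentials the kernel consults: effective gid, supplementary groups,
 * and whether CAP_NET_RAW is still in the effective capability set. */
struct cred_model {
    gid_t egid;
    const gid_t *groups;
    size_t ngroups;
    int cap_net_raw;
};

/* in_egroup_p(): true if gid is the effective gid or in the supplementary list.
 * Note that the effective *uid* plays no part in this check. */
static int in_egroup_p(const struct cred_model *c, gid_t gid)
{
    if (c->egid == gid)
        return 1;
    for (size_t i = 0; i < c->ngroups; i++)
        if (c->groups[i] == gid)
            return 1;
    return 0;
}

/* Model of the patched inet_create(): 0 on success, -EACCES otherwise. */
int paranoid_inet_create(const struct cred_model *c)
{
    if (in_egroup_p(c, AID_INET) || c->cap_net_raw)
        return 0;
    return -EACCES;              /* what userspace sees as "Permission denied" */
}

/* Update 2 in the question: root calls seteuid(imp). Only the euid changes;
 * egid stays 0, the supplementary list is still root's, and the effective
 * capability set is cleared once the euid becomes non-zero. */
int scenario_seteuid_only(void)
{
    static const gid_t root_groups[] = { 0 };
    struct cred_model c = { 0, root_groups, 1, 0 };
    return paranoid_inet_create(&c);
}

/* The accepted answer: root itself is added to aid_inet, so the supplementary
 * list inherited across seteuid() now satisfies the check. */
int scenario_root_in_aid_inet(void)
{
    static const gid_t root_groups[] = { 0, AID_INET };
    struct cred_model c = { 0, root_groups, 2, 0 };
    return paranoid_inet_create(&c);
}

/* Alternative: rebuild the supplementary list for imp (the id output from
 * the question) before switching, so root needs no aid_* membership. */
int scenario_initgroups(void)
{
    static const gid_t imp_groups[] = { 51, 3003, 3004, 3005, 3001, 3002 };
    struct cred_model c = { 51, imp_groups, 6, 0 };
    return paranoid_inet_create(&c);
}

/* The real thing: drop from root to `user`, adopting that user's groups from
 * /etc/group, then open the UDP socket from the question. Must start as root;
 * returns the socket fd or -1 with errno set. */
int drop_privs_and_socket(const char *user)
{
    struct passwd *pw = getpwnam(user);
    if (!pw)
        return -1;
    if (initgroups(user, pw->pw_gid) != 0)      /* picks up aid_inet etc. */
        return -1;
    if (setgid(pw->pw_gid) != 0 || setuid(pw->pw_uid) != 0)
        return -1;
    return socket(AF_INET, SOCK_DGRAM, 0);      /* now passes in_egroup_p() */
}

int main(int argc, char **argv)
{
    printf("seteuid only:     %s\n", strerror(-scenario_seteuid_only()));
    printf("root in aid_inet: %s\n", strerror(-scenario_root_in_aid_inet()));
    printf("initgroups first: %s\n", strerror(-scenario_initgroups()));
    if (argc > 1) {                             /* e.g. ./paranoid imp, as root */
        int fd = drop_privs_and_socket(argv[1]);
        printf("socket() as %s: %s\n", argv[1],
               fd >= 0 ? "ok" : strerror(errno));
    }
    return 0;
}
```

The three scenarios run anywhere; the real drop needs to be started as root inside the chroot with the target user name as argument. The model also explains why setegid() alone did not help: it sets the effective gid to imp's primary group (51), not 3003, and leaves root's supplementary list untouched, while initgroups() replaces that list with the one id prints for imp. Rebuilding the group list before setuid() is the usual privilege-drop order on Linux and avoids widening root's own membership.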

For those struggling with apt-get on Android (with CONFIG_ANDROID_PARANOID_NETWORK turned on, which restricts network access to users who are members of certain groups), there are two workarounds:

  1. groupadd -g 3003 aid_inet && usermod -g nogroup -G aid_inet _apt
  2. echo 'APT::Sandbox::User "root";' >/etc/apt/apt.conf.d/01-android-nosandbox

This is because apt-get runs the http/https/gpgv methods on behalf of the sandbox user, which is _apt by default:

    root      1465  0.0  0.0  31408  4956 pts/0  S  11:48  0:00 | | \_ -bash
    root     23814  0.1  0.1  65300 10124 pts/0  T  18:58  0:00 | |   \_ apt-get update
    _apt     23818  0.0  0.1  90208  8852 pts/0  T  18:58  0:00 | |     \_ /usr/lib/apt/methods/http
    _apt     23819  0.0  0.1  90208  8828 pts/0  T  18:58  0:00 | |     \_ /usr/lib/apt/methods/https
    ...
